Earlier, network security architectures were designed with the enterprise data centre as the focal point. However, changing times and evolving digital businesses have driven new IT architectures like cloud and edge computing and new norms like work-from-anywhere, which have inverted access requirements, with more users, devices, applications, services and data located outside an enterprise rather than inside. Further, the network security models based on data centre perimeter security are ill-suited to address the dynamic needs of a modern digital business and its distributed digital workforce. Therefore, the legacy perimeter architecture must transform into a set of cloud-based, converged capabilities created when and where an enterprise needs them – that is, a dynamically created, policy-based secure access service edge (SASE). SASE offerings provide policy-based access to the internet, software-as-a-service (SaaS) apps and enterprise private apps (on-premises or infrastructure-as-a-service [IaaS]) all at the same time.
However, migration towards a SASE framework is not easy and requires security and risk management leaders to build a migration plan that outlines the transition from legacy perimeter and hardware-based offerings to a SASE model. Once this plan is set in motion, adoption of the SASE model becomes easier. For instance, as per Gartner, at least 60 per cent of enterprises will have explicit strategies and timelines for SASE adoption by 2025, encompassing user, branch and edge access, up from 10 per cent in 2020.
Key features of the SASE model
To protect anywhere, any time access to digital capabilities, security must become software-defined and cloud-delivered, forcing changes in the security architecture and vendor selection. However, perimeter-based approaches to securing anywhere, anytime access have resulted in a patchwork of vendors, policies and consoles, creating complexity for security administrators and users. In this scenario, enterprises that consider existing skill sets, vendors and products and timing of hardware refresh cycles as migration factors will reduce their SASE adoption time frame by half. SASE is a pragmatic and compelling model that can be partially or fully implemented. Branch office transformation projects, including software-defined wide area network (SD-WAN), multiprotocol label switching (MPLS) offload, and internet-only branch and associated cost savings, are part of the SASE project scope.
Adoption trends
Industry and client interest in SASE has exploded, primarily driven by existing enterprise needs being unmet by vendors. After Gartner published its initial research on the SASE market, the percentage of end-user enquiries mentioning SASE grew from 3 per cent in 2019 to 15 per cent in 2020 across the total number of end-user conversations on related security topics. This growth in interest continued in January 2021, with 17 per cent of end-user calls mentioning SASE across the same set of related markets. Moreover, there have been significant vendor consolidations, acquisitions and announcements to build out a complete SASE portfolio, with more expected over the next 12-24 months.
However, enterprise transition to a complete SASE model will take time. The reality is that enterprises have existing investments in hardware that are not fully amortised and software contracts with time remaining. Hardware refresh cycles at branch offices average five to seven years. Existing relationships with, and staff expertise in, incumbent vendor offerings are another factor. Most large enterprises have separate network security and network operations teams, further complicating SASE adoption. Finally, not every vendor claiming to offer a SASE product currently delivers all of the required and recommended SASE capabilities. Moreover, not all of a SASE vendor’s capabilities are at the same level of functionality and maturity.
Existing gaps
The most significant gaps that will inhibit SASE migration include:
- Organisational silos, existing investments and skills gaps: These are the biggest gaps that must be considered in migration planning. A full SASE implementation requires a coordinated and cohesive approach across network security and networking teams. For mid-size enterprises, this is an easier problem to address as a separate security team may not exist. In large organisations, these organisational structures, budgeting processes and responsibilities are quite rigid. Some vendors will be replaced and the associated skill sets will need to be repurposed towards policy creation in collaboration with business processes and application owners.
- Architecture: SASE solutions are cloud-delivered, but vendors vary in the degree of “cloud nativeness” of their architecture. Legacy appliance and virtual appliance architectures need to be broken down into smaller, scalable components. The use of public cloud IaaS for points of presence (PoPs) versus owning PoPs is a difference among SASE providers that may impact adoption for some regions. Every enterprise has different requirements for compliance, and has privacy requirements for the inspection of data, storage of logs and routing of traffic. Geographic dispersion and the number of enforcement points will also impact the ability of an SASE provider to commit to availability and latency service-level agreements.
- Sensitive-data visibility and control: This is a high-priority capability, but one of the most difficult problems for SASE vendors to address. Of the vendors converging on the SASE opportunity, cloud access security broker (CASB) providers have the most experience in dealing with sensitive data visibility and control. Even then, gaps remain. In the case of on-premises data stores and sensitive data stored at end points, sending data to a third party for sensitive-data identification is not a sustainable or cost-effective option. This capability must be delivered natively by the SASE offering, and provide options for the inspection of sensitive data.
- SASE security services maturity: For the next several years, SASE capabilities will vary widely. Enterprises need to prioritise their needs for converged capabilities versus the need for continued best-of-breed capabilities until the gaps are closed. Some vendors are offering SASE to fill gaps with partnerships, but daisy chaining of services and/or network function virtualisation to deliver this is not a sustainable long-term option. Partnerships are tenuous as markets merge and former partners begin competing directly.
- Limited number of comprehensive SASE offerings: At the start of 2021, fewer than 10 SASE offerings provided all of the core capabilities. Over the next five years, acquisitions and further market consolidation will address these gaps. As an interim step, converged security vendors that avoid the direct requirements of SD-WAN are being pressured by customers to address branch office access needs. They could provide a subset of SD-WAN capabilities, such as bandwidth prioritisation and content inspection.
Roadmap for SASE adoption
Security and risk management leaders responsible for infrastructure security should develop a roadmap for the adoption of SASE capabilities and offerings. This roadmap comprises key steps to be taken in both the short term and the long term. The key short-term recommendations are:
- Deploy zero trust network access (ZTNA) to augment or replace the legacy virtual private network (VPN) for remote users, especially for high-risk use cases.
- Inventory equipment and contracts to implement a multi-year phase-out of on-premises perimeter and branch hardware in favour of cloud-based delivery of SASE capabilities.
- Consolidate vendors and reduce costs and complexity as contracts renew for secure web gateways, CASBs and VPN, leveraging the converged market that combines these security edge services.
- Actively engage with initiatives for branch office transformation and MPLS offload in order to integrate cloud-based security edge services into the scope of project planning.
Meanwhile, the long-term recommendations are:
- Consolidate SASE offerings to a single vendor or two explicitly partnered vendors.
- Implement ZTNA for all users regardless of location, including in the office or in the branch.
- Choose SASE offerings that allow control of where inspection takes place, how traffic is routed, what is logged, and where logs are stored to meet privacy and compliance requirements.
- Create a dedicated team of security and networking experts with a shared responsibility for secure access engineering spanning on-premises, remote workers, branch offices and edge locations.
Based on a research paper by Gartner